
Ask Slashdot: Changing Passwords For the New Year? 339
A new submitter asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
Pwdhash (Score:4, Informative)
I use a free implementation of the Stanford PwdHash algorithm for the Mac called Locksmith (here on the app store [apple.com]). There are also websites that implement PwdHash, and even a Firefox add-on. By changing one master password, all the passwords I generate will automatically be changed when I regenerate them.
Login Anonymouscoward PW passw0rd (Score:2)
It doesn't always work, because sometimes somebody's given it a password other than "password" or "passw0rd" or "Passw0rd", and sometimes I want my actual name on an account, but for the most part the worst case is that somebody will start writing letters to the editor of the New York Times or Podunk Gazette with my name on them, or my Yahoo account will get spam advertising sales in zip codes other than 90210.
Ahem (Score:5, Insightful)
What a good way to harvest guessing algorithms... Not giving you mine!
Re: (Score:3)
Yeah, if ever there was a phish attempt, this is it. Makes me wonder about the common sense of those nominating posts like this.
one a year?? what about places where it's 30 days (Score:5, Funny)
but it's the new year time to change password12 to password1
Lastpass (Score:5, Interesting)
https://lastpass.com/
Re:Lastpass (Score:4, Insightful)
IMHO it has by far the most elegant integration between chrome, FF, android browser and IE6 @ work. Changing passwords on a regular basis causes very little heartburn. Tinfoil hats need not apply though as your passwords aren't stored locally and you rely on the company keeping their db secure... For those who can get past that though, it blows Keepass out of the water even when sharing the pass file via something like dropbox.
Re: (Score:2)
LastPass has a password audit feature that shows you where you're using the same password.
Re: (Score:3)
I just write them down in a book. 30 years without a problem. Not posting AC because who cares?
http://xkcd.com/936/ (Score:5, Informative)
http://xkcd.com/936/ [xkcd.com]
Re:http://xkcd.com/936/ (Score:5, Funny)
I only use correct_horse_battery_staple now that I know how hard it is to guess!
Re: (Score:2)
Yeah but there are no numbers in that and underscore may not be accepted on some sites. Also it's more than 12 characters.
Best solution I came up with is to change the keyboard layout to include diacritical marks and make a password to include some of those characters. éíáý
Re: (Score:2)
That sadly fails on like 40% of the services out there, as they don't allow passwords longer than 20 or so characters.
Re:http://xkcd.com/936/ (Score:4, Funny)
My bank has the same requirement. However, it is only enforced in Javascript. Disable the JS check, and you can use any password you want.
Re: (Score:2)
Ultimately, even that isn't enough to really solve the problem. If you have 2 or 3 sites that you need to track, it's probably not a problem, but these days just about every site demands a log in to use, even free sites, good luck keeping 20 or 30 sites straight even with a simplifier like that. At that point you might as well just use 30 or 40 random characters as you're not going to remember 20 or more unique log ins.
Re:http://xkcd.com/936/ (Score:5, Interesting)
Be cautious. If www.poorlysecuredforum.com keeps your password in the database, and I hack them and see someone with the user name of DMUTPeregrine and the password of 1CorrectHorseBatteryStaple+poorlysecuredforum.com? I'm going to try logging in here as DMUTPeregrine / 1CorrectHorseBatteryStaple+slashdot.org. And I'll try logging in to wellsfargo.com and citibank and usbank and chase all the same way.
Your suggestion of using a hash as the password is much more secure, assuming you actually use it. But next time you create a hash, try a little trick: google for it. Google is like the world's largest and fastest distributed rainbow table. Last time I checked, googling for the MD5 digest of "12345" returned something like 11,000 hits, all of which said "12345" right there on the search results. Time to go change the hash on my luggage.
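An added illustration of the two schemes contrasted in the comment above (not code from the thread or from PwdHash): a site-name pattern lets one leaked plaintext predict the password everywhere else, while a keyed per-site derivation does not. The function names, the sample master phrase and the PBKDF2 parameters are assumptions, and this is a simplified derivation, not the actual PwdHash algorithm.

```python
import base64
import hashlib

PBKDF2_ROUNDS = 200_000  # assumption: tune to what your own hardware tolerates


def pattern_password(master: str, site: str) -> str:
    """The 'master+site' pattern the comment warns about."""
    return f"{master}+{site}"


def guess_sibling(leaked: str, leaked_site: str, target_site: str):
    """Predict the password for another site from one leaked plaintext.

    Works only when the site name is visibly embedded in the password;
    returns None when there is no pattern to reuse.
    """
    if leaked_site not in leaked:
        return None
    return leaked.replace(leaked_site, target_site)


def derived_password(master: str, site: str, length: int = 20) -> str:
    """Per-site password from PBKDF2-HMAC-SHA256, with the site name as salt.

    The output for one site reveals nothing usable about the output for
    another site unless the master phrase itself is recovered.
    """
    raw = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        site.lower().encode("utf-8"),
        PBKDF2_ROUNDS,
        dklen=32,
    )
    # URL-safe base64 keeps the result typeable; truncate for sites with length caps.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


def compare_schemes(master: str, leaked_site: str, other_site: str) -> dict:
    """Show what a breach of leaked_site tells someone about other_site."""
    pattern_leak = pattern_password(master, leaked_site)
    derived_leak = derived_password(master, leaked_site)
    return {
        # Pattern scheme: the predicted password is exactly the real one.
        "pattern_guess_is_correct": guess_sibling(pattern_leak, leaked_site, other_site)
        == pattern_password(master, other_site),
        # Derived scheme: nothing to substitute, so no prediction is possible.
        "derived_guess": guess_sibling(derived_leak, leaked_site, other_site),
        "derived_passwords_differ": derived_leak != derived_password(master, other_site),
    }


if __name__ == "__main__":
    # Constructed sample values taken from the comment's own example.
    print(compare_schemes("1CorrectHorseBatteryStaple",
                          "poorlysecuredforum.com", "slashdot.org"))
```

A leaked derived password still allows offline guessing of the master phrase, so the master has to be strong and the derivation slow.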
Re:http://xkcd.com/936/ (Score:4, Funny)
I use a variant of that: Pick a line from a song you know well. It also works well with monthly rotations: Just pick the nth line from the song. Admittedly, last time I had a problem with that when I needed somebody else to use my account and they couldn't spell Ipanema...
Re: (Score:2)
for passwords are susceptible to dictionary attacks
Not if your password is in a different language! MUHAHAHAHAHA
irony flag (Score:2)
MUHAHAHAHAHA is not the best irony flag.
(For the clueless, cracking dictionaries tend to include foreign language words, for whatever matches "foreign" in your world.)
Any way you do it, you need more than one word, preferably at least three, and you have to be careful that the resulting phrase is not common.
Re: (Score:2)
The set of words is ridiculously larger than the set of characters. That is why passphrases work, they use a larger basis, while keeping the exponent (number of things in your password) small.
Some 5 dictionary words are enough to give you 64 bits of entropy in a large language (like English).
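The base-and-exponent arithmetic from the comment above, as an added example that is not part of the original post. It assumes every word or character is picked uniformly at random; the 7776-word list size (the Diceware list), the 2048-word size and the 16-word demo list are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed demo list: deliberately tiny to show that a long-looking phrase
# drawn from a small list is weak. Real lists hold thousands of words.
DEMO_WORDS = ["amber", "brick", "cedar", "delta", "ember", "flint", "grove",
              "haze", "iris", "jade", "kelp", "lumen", "moss", "nova",
              "opal", "pine"]


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform selections from `choices` options."""
    return picks * math.log2(choices)


def picks_needed(choices: int, target_bits: float) -> int:
    """How many uniform picks from `choices` options reach `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def min_wordlist_size(words: int, target_bits: float) -> int:
    """Smallest word list for which `words` picks reach `target_bits`."""
    return math.ceil(2 ** (target_bits / words))


def make_passphrase(wordlist, words: int, sep: str = " "):
    """Draw a passphrase with the OS CSPRNG and report the entropy of the process.

    The entropy comes from the list size and the number of picks, not from
    how long or unusual the resulting string looks.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would lower the real entropy")
    phrase = sep.join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


def thread_schemes():
    """Entropy of the schemes discussed in this thread, under uniform choice."""
    return [
        ("7 random mixed-case alphanumerics", entropy_bits(62, 7)),
        ("10 random mixed-case alphanumerics", entropy_bits(62, 10)),
        ("4 words from a 2048-word list", entropy_bits(2048, 4)),
        ("5 words from a 7776-word list", entropy_bits(7776, 5)),
    ]


if __name__ == "__main__":
    for label, bits in thread_schemes():
        print(f"{label:38s} {bits:5.1f} bits")
    print("list size needed for 5 words at 64 bits:", min_wordlist_size(5, 64))
    phrase, bits = make_passphrase(DEMO_WORDS, 5)
    print(f"demo phrase {phrase!r} carries only {bits:.0f} bits")
```

Song lines, quotes and other phrases a person chooses are not uniform picks, so these figures are an upper bound for them.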
1Password (Score:3)
Enough said.
Re:1Password (Score:5, Funny)
To whoever stole my account, please give it back.
Password manager? (Score:5, Informative)
Re:Password manager? (Score:4, Insightful)
Because it can be inconvenient. Say I want to log in to a particular site on a friend's computer. I don't want to download KeePass on their PC, so I have to read the password off my phone. Reading and typing a 20+ character random string without errors is the opposite of convenience.
Re: (Score:3)
If there's a password you're actually expecting to need to type yourself now and then, use a passphrase or something similar. Even if you aren't concerned with memorizing the passphrase, five or six randomly selected words are usually much easier to type quickly and accurately, and you just need to look at your password vault for a reminder.
Re: (Score:2)
It isn't really hard to download keepass, and if you use keepass portable it doesn't even need to install and can just run in place. If you don't want to download it you can keep it on a flash drive and run it right off of it. Or (on Android) put it on your phone's SD card and plug it in and run it right off of it.
I guess it depends on how often you end up needing to do it, but for me the occasions in which I need to manually type out passwords is so rare that it's worth the bother. Also, you might find tha
The answer is still keepass (Score:5, Informative)
Keepass is available for Blackberry, ios, android. (even Windows 7 Mobile, if that's how you roll.) You can migrate database files between PC and handheld device. (Although you should be careful of having company passwords on a personal device -- there might be a policy against that.)
In your case, I'd spend an hour of quality time in keepass changing your passwords, sync it to work and home PC and whatever device you carry, then make all your websites conform.
As to websites you haven't visited in a long time and have forgotten about, I don't have an answer. I have essentially the same problem with forums that require you to register to participate. I may only visit the forum once, but my login is forever.
Re: (Score:2)
I use 1Password. It has a feature of providing an interface with all your passwords, the sites they are for and the last time you changed that password. I have never done so but it would be fairly painless to sort by last modified date and update all of your old passwords.
I don't know Keepass but a quick google search shows this information is stored, so you could always export the data and process it that way if there is no GUI feature.
Re: (Score:2)
True, especially if you always use the same login name, or it requires an email address for login and you've had the same email address since like forever.
Re:The answer is still keepass (Score:4, Interesting)
1. Buy domain.
2. Set up *@domain to forward to your real email account, optionally apply a label (I do this with gmail labels)
3. Register with sitename@domain as email address.
4. Check real email and verify account.
Unique email for each site. No need to guess.
A bonus is that if you start getting spam you can see where it originated by what email it starts coming in on.
I noticed a year or so ago that curse got hacked as I started getting wow phishing emails to the email I registered for curse with ;)
Just redirect to /dev/null when it happens :p
Re: (Score:2)
I think the point was we don't remember everything we've signed up for. I may have used a weak password on what was essentially a throw-away account at the time. But all the same, it might be under my name. So now I'd love to clean up all the accounts I created as a kid.. I'll just never remember them all.
Re: (Score:3)
Because that wouldn't be a malevolent portmanteau, or as I call them malamanteau.
Keepass for everything! (Score:4, Interesting)
I don't care (Score:4, Insightful)
I gave up caring a few years ago. I protect my online banking, amazon etc passwords (write them down at home, long and random) but everything else I couldn't care less. If my Slashdot/openid etc ones get guessed or whatever then I'll just create a new account. Don't kid yourself that anyone cares about your online persona - they don't. Friends will get an email from you about your new G+/facebook account. Everyone else will just not be interested in "RandomInternetGuy10248034034" now being known as "RandomInternetGuy23038908343". It's just not worth the mental effort remembering, nor the paper writing down 40 odd passwords. It's just some website.
Re:I don't care (Score:5, Insightful)
This only applies to people who don't have Moderator or Admin privileges on websites. Otherwise, you need to keep your account safe.
As a regular user, the worst someone can do is a Joe Job, make the compromised account send nasty things to other users, or send a ton of spam.
But if you've ever been a Moderator or Admin, you need to keep your password safe.
Re: (Score:2)
Obviously you don't understand Joe Jobs. There is no need to get anyone's password to send emails that appear to come from someone else's address.
Re: (Score:2)
Sure.. but before your friends get a new FB/G+ request, they'll get a whole bunch of spam written as recommendations/requests from you. I get annoyed when my friends spam me. I consider it pretty rude for them not to protect their account as it leaks anything I set as private and exposes me to spam I don't want to see. So I try to encourage my friends to be smart when it comes to things like FB as it's only a useful tool so long as we keep up the signal-to-noise ratio and some minimum amount of security/pri
1Password + Dropbox (Score:2)
I completely adopted the strategy described in this article: The Only Secure Password is the One You Can't Remember [lifehacker.com]. Essentially, I have a different password for every single website, service, etc. and all of them are behind a strong master password in a software called 1Password. The encrypted file is saved to DropBox, so it's both online and on several computers (including my smartphone). For more detailed description and reasoning for why that's good, see the article.
The upsides: It's extremely unlikel
Re:1Password + Dropbox + CrashPlan (Score:2)
Add CrashPlan into that, and you have a way to recover your passwords even if all your machines are destroyed in a tornado. :) I use all of these together, and I never have trouble getting to a password - even my droid phone can get at them.
Re: (Score:2)
Dropbox isn't a back up service. If you're backing up your data you should be able to recover most if not all of the entries from a backed up copy of the database.
Some I Use only once (Score:2)
There are a handful of sites that I visit very infrequently, like my (now closed) student loan site, or my domain registrar.
When I want to log in, I use the "forgot/reset password feature" and wait for a link to show up in my inbox. I "click here" to change it to something random and needlessly complicated, log in and don't bother writing it down.
Technique for security "questions" (Score:3)
And since it's easy to find out what the make of my first car was, or what year I graduated, I have an alter ego with answers to those questions. I know what year "she" was born, "her" mother's maiden name, etc.
As an extra layer, I don't just answer "What year did you graduate high school" with: 1938.
I say: "year1938". And one more layer:
Since this is likely stored as plain text, I have a site-unique word mixed in:
"year1938banking"
Re:Technique for security "questions" (Score:5, Funny)
user: damnstupidelf
pass: glintprickjuliatrunkwouldexcelhymnallearhopbloat
first girlfriend: razeblazetrudytdmoltnobitalysankassetzd
high school: actsdrurybyrneavailprofit'llsjmeaddrawpave
some_other_weakest_link_in_site_security_question: alleysandalohmichead60fendweighhamlinwillstout
I sign up for site accounts using email addresses at random domains that will expire soon. No chance of plaintext password-reset emails being sent out and intercepted unless the site uses a non-SSL third party relay.
The password files are symmetrically encrypted with a passphrase that isn't used anywhere else. Long diceware passphrases are immune to rainbow tables, dictionary and brute force attacks, and rubber hose cryptanalysis (I can't remember them), although some worthless sites limit the length of password form fields (shouldn't the site salt and hash passphrases to a fixed number of bits immediately, thus negating the need to limit the length? Yes.) and I have to revert to uuencoding 16 bytes from
The password files are on an encrypted partition using an ephemeral key on a netbook and there's a generator for power outages longer than a couple hours. Alt-SysRq-B has been modified to wipe RAM before rebooting. I hooked up a USB heart monitor as an actual deadman switch to use when I sleep.
NO ONE is getting my WoW forum credentials.
Reset the password every time you visit (Score:2)
Think of it as poor man's federation with your email password.
I don't (Score:5, Insightful)
it's easy (Score:2)
Lockout? (Score:2)
If you have to try so much that you're going to get locked out (surely you suspect something after one or two failed attempts), doesn't the site offer some sort of password retrieval function? I know this doesn't really answer your question directly, but it seems like it would work for the few sites you seem to forget about each year.
What's this? (Score:2)
The annual meeting of paranoid geeks?
There is extremely little value in changing. (Score:5, Insightful)
If you look at all the possible attack vectors and scenarios, changing your passwords once a year changes your statistical chances of being hacked or losing data very little. The ROI is low enough I wouldn't recommend changing your passwords on a regular schedule.
Picking good (as in hard to crack) passwords is more important. For random web properties using different passwords for each so when one is compromised and caught storing passwords in plain text only one account is compromised is key.
However, that's all not what I want to talk about. This entire question is the result of a huge failure of the industry. Every web site uses a password. Every one has a different idea of what a "good" password is, meaning if you come up with one (or use a generator) it won't always be allowed. Google has taken a step forward with their two factor options (via say, a cell text) but that's not really a practical option for many small web sites.
This is an excellent case for a PKI. Users should generate a public-private key pair, and provide the public key to the web site upon sign up. Extra authentication steps could be done at setup (web of trust a la PGP, known entities, a la X.509, callback texts, whatever). Users would sign a login blob with their private key to authenticate.
Using the same key for many web sites is much less dangerous. Compromising the web sites, and all the public keys, gets the attacker approximately nothing. They can be stored in plain (unencrypted) format on the web server. The only attack is to get the user's private key, which can be encrypted on their machine behind passwords, biometrics, or whatever. Getting one user's private key gets you only one user, it's a low value attack.
What's needed is a standard format for this encrypted exchange, and then support by clients (from web browsers to ssh clients) and their corresponding server services. This is where the industry is letting us down.
If the big 15-20 web properties could get together with the big 4 browsers and make this happen it would be a huge leap forward.
Re: (Score:3)
Identify what accounts you need to keep secure or protected. Bank accounts, services where your credit card is available for one click purchases, and your email account. Use your good passwords on them and rotate them like you are.
Then use one password for all your worthless accounts that truly don't matter. You don't even need to change this one. Still make it a good password though. So if someone hacks slashdot.org, they will get access to my evernote, Flickr, and twitter accounts. But I have what 1
You don't get invited to many parties (Score:2)
do you?
Randomization Between Accounts (Score:2)
I use a separate random user/password for each online account. If I post comments to "angryITworkers.com" (example), and the uid/password gets compromised, there's little to worry about. It cannot be used to access my bank account or other resources. Invalidate the compromised account, and damage will be very limited.
Keepass might still work (Score:2)
Use LastPass (Score:5, Informative)
LastPass is a web-based service that syncs your passwords across your computers, Android devices, iPhone, and Blackberry. Supposedly, it uses client-side encryption so even if the stored data is compromised, it is useless without your password. Most importantly, it supports Google Authenticator so those with Android devices can use it to generate secure keys needed to log in.
My method (Score:3)
My method has slowly evolved over the years. I grew up on a crappy dial up connection out in the country. Our ISP gave us a generated strong password. Our connection would constantly drop and I would have to enter that password in several times a night. I kept that password and slowly morphed it over time. It kept getting stronger and stronger with every evolution. I did this with 2 passwords. One for secure stuff and one for everything else.
Then not too long ago, I discovered rainbow tables. Pre-generated LM password hashes. My passwords were not in the free tables, but they would be in one of the more detailed collections. Then I started doubling my short passwords by typing them twice. Instant 16 char passwords that were easy to remember and type. Sometimes I would mix it up and use 2 of my old 8 char passwords together. I would think password1 then password2 and type them just as fast.
More recently with smartphones and now tablets, my passwords were just a monster to enter in. One password was lnnLllnnlnnLllnn where l = lower, n = number, L = upper. A total pain when you also have to swap from numbers to letters on the key pad. My current passwords are much simpler, very fast and easy to enter, and even longer than before.
One of the passwords that I just cycled out contained 2 swype-able (dictionary) words and a full 10 digit phone number. My short one was 19 characters, easy to remember, and super fast to type on my computer and mobile device. Entering the password is much more natural. I can swype on my mobile and bounce over to the number pad on my desktop. I work in IT and constantly get comments of shock from users when they see me enter my long passwords on systems.
I do reuse passwords on sites more often than I would like to admit. I treat my email as the master password. With that, all other accounts can be reset. I have my financial password, my work password, my social password, and then everything else password. That everything else password is used on all accounts that I don't care about or don't impact me financially. The everything else password never gets changed. I will usually take 3 guesses at a password on a site. If it's not my current one, previous one, or the everything password. I then request a password reset and set it to the everything password.
I never know what to put for a password hint on the sites that ask.
Never (Score:2)
I've never changed my slashdot password. Maybe the next decade.
Git+GPG (Score:3)
Git + GPG + a GPG-VIM plugin.
I use "vim" to edit my password file as if it is plain-text; git pull/commit/push to make changes to it.
If I need to roll back, I check out an older copy of the file.
Bad advice: dropbox files can be seen by many (Score:2)
WTF are people suggesting putting anything that you would not want to see the next day in a newspaper on dropbox?
Re: (Score:2)
Which is why the KeePass file is encrypted.
I would worry more about the machines you use themselves being compromised. A simple keylogger might expose all your passwords. Getting your hands on the KDB file is the easy part.
Re:I do not use the same password for multiple sit (Score:4, Informative)
Most websites don't store your password, just a hash of it. When you enter the password, it hashes what you just entered then compares the hashes. Reverse engineering the password when you only have the hash isn't trivial.
Re:I do not use the same password for multiple sit (Score:5, Informative)
Based on my experiences working on websites, far too many companies store the password in plain text. Many, many more will hash it, but will hash it ineffectively by not salting it. Lots of the people working on these websites don't even understand the kinds of attacks salting and hashing are intended to block.
As an example, look at mailman, the mailing list manager. Not only did it store the plaintext password, it mails it to you monthly. Fortunately, the current developers aren't idiots and have removed this flaw (as of ~2007) but tons of sites out there are still using the old version since I keep getting the "reminders".
Trust me... Spend a bit of time in industry working on these websites, and you'll understand.
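What "hashing ineffectively by not salting" means in practice, as an added example that is not part of the original comment; it also covers the earlier remark that a search engine already knows the MD5 of "12345". The user names, the password list and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords, including ones mentioned in this thread.
COMMON = ["12345", "password", "passw0rd", "Passw0rd", "password1", "letmein"]
ROUNDS = 200_000  # assumption: PBKDF2 work factor, raise it as hardware allows


def md5_hex(password: str) -> str:
    """Unsalted fast hash: the same password always maps to the same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute digest -> password once; it then works against every site."""
    return {md5_hex(w): w for w in words}


def recover_unsalted(db: dict, lookup: dict) -> dict:
    """Reverse a leaked table of unsalted digests with plain dictionary lookups."""
    return {user: lookup[digest] for user, digest in db.items() if digest in lookup}


def hash_salted(password: str, salt: bytes = None):
    """Store (salt, rounds, derived key); the salt is random per user."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, ROUNDS, key


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, rounds, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, key)


def demo() -> dict:
    lookup = build_lookup(COMMON)
    # Two users with the same weak password in an unsalted table.
    unsalted_db = {"alice": md5_hex("12345"), "bob": md5_hex("12345"),
                   "carol": md5_hex("x9!Tq-unlikely-to-be-listed")}
    rec_alice, rec_bob = hash_salted("12345"), hash_salted("12345")
    return {
        "identical_unsalted_digests": unsalted_db["alice"] == unsalted_db["bob"],
        "recovered_unsalted": recover_unsalted(unsalted_db, lookup),
        # Same password, different salts: the stored keys do not match, so one
        # precomputed table cannot serve both rows.
        "identical_salted_keys": rec_alice[2] == rec_bob[2],
        "salted_in_lookup": rec_alice[2].hex() in lookup,
        "login_ok": verify_salted("12345", rec_alice),
        "wrong_password_rejected": not verify_salted("123456", rec_alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Salting defeats precomputation and the slow derivation raises the cost of each guess, but a password as common as "12345" still falls to a targeted guess, so storage hygiene does not replace a strong password.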
Re: (Score:2, Informative)
Not only that. You say 'hey this is insecure' you have to prove it with an exploit. They will fix the exploit missing the point...
Then they look at you like you are weird trying to attack the site. Got yelled at once for 2 hours straight by a manager who worked on a different product for doing this. Even though my boss explicitly told me to do it. At that point I realized no one really cares until they are hacked and it is in the news.
So I use a pattern based password for web sites and when I buy t
Re: (Score:3)
Website users aren't the same as OS users.
Most website developers don't even understand what a hash is. They are simply not capable of using hashes on their sites, even less to do some sane salting. Most of the top used development frameworks also don't help securing passwords, some even make them harder to secure.
That said, I don't care about people harvesting the passwords I use on most sites.
Re: (Score:2)
I can tell you that RCN cable does. I was with RCN for many years, even using their email. Two years ago I moved, and transferred my service. During the transfer process on the phone, they asked me my 'PIN' number for my voicemail. I didn't know it, because I never set one as I never used RCN voicemail. After answering some other questions, they told me over the phone what my 'PIN' was. Lo and behold it was my RCN email password, that I would never have given them as a voicemail PIN!!! It was complic
Re:I do not use the same password for multiple sit (Score:5, Insightful)
Think of the websites you've used. How many at some point or another have actually emailed your password to you rather than just let you reset it with an email link? I know I have several dozen accounts and a few do indeed email me my password when I pick one. That means they have it in their data somewhere at least at some point in time.
Re: (Score:2)
I can't think of a single site that does this. And I forget my passwords all the time. Every single site seems to generate a new 8 character random password, and email *that* to you, or a link where you can click and enter a new password.
Re:I do not use the same password for multiple sit (Score:4, Interesting)
Bergen University College in Bergen, Norway stores plain-text passwords and will email them to you if you request a reset.
Using a commercial system they pay for as an alumni website... I've tried and tried again to point out how stupid it is for a technical college to have such a flaw but they ignore it.
Hopefully there are no other flaws in the site (hah!) :p
Just a real world example of arse security in what one would hope was a serious site.
Re: (Score:3)
Some banks I know, Wells Fargo and Capital One do. Try a simple experiment, try logging in with your password in wrong caps, you would still be able to login. I would be really really surprised if they were using a case insensitive hash instead of storing the text and making a case insensitive comparison.
Re: (Score:3)
Or, they could be converting passwords to lowercase before hashing them.
Re: (Score:3)
Hashing is not enough. Proper security is only obtained by salting the passwords before hashing. Without salting, password hashes are only slightly better than clear text, as they are vulnerable to rainbow table attacks. Rainbow tables for 11 character passwords already exist.
Drupal (a popular PHP CMS software) did not salt their password hashes until version 7 (http://stackoverflow.com/questions/5031662/what-is-drupals-default-password-encryption-method), and version 7 came out in 2011. This means most dru
Re:I do not use the same password for multiple sit (Score:5, Insightful)
That's exactly what I was thinking. For any site that matters, the most they can do is reset it for you, not tell you what it was. Most sites just don't matter. Other than your Karma, how much damage can be done when they hack your Slashdot password?
But I gotta ask, Why bother changing every year?
Changing a secure password offers no additional security. It's not like they wear out.
If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
Those hovering over your shoulder to catch one key today and the next key tomorrow should be pretty obvious after a year, don't you think?
The key loggers would have found you long before the year is up, and the timing routines can be outfoxed by simply typing with only one finger, a different finger each day.
Most sites that force you to change do so more frequently than a year. And 99.44% of them end up having users simply adding ascending digits to the key, which becomes pretty easy to guess.
Re:I do not use the same password for multiple sit (Score:4, Insightful)
Changing a secure password offers no additional security. It's not like they wear out.
If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
One measure of the security of a password is the amount of time it would take to compromise it as compared to its useful lifetime. Assuming the password database is stolen today, would someone be able to compromise your password before you changed it?
Re:I do not use the same password for multiple sit (Score:5, Informative)
XKCD on password security.
http://xkcd.com/936/ [xkcd.com]
Re:I do not use the same password for multiple sit (Score:5, Insightful)
Your statement doesn't take several risk factors into account. Ultimately, risk is something you have to assess for yourself: what is the value of your passwords? Are you guarding multi-million dollar corporate secrets, or are you risking a $50 credit card fee? It makes a difference as to how much effort to put into the task.
Long, random character passwords that are written down using actual pen-on-paper are still very secure against network based attacks. I have yet to see the virus that can read the password off a sticky note.
Having them on a piece of paper stuck in to your monitor in your house is going to expose them only to the people you invite in. Now, if you're talking about passwords at work, then you have coworkers, cleaning people, maintenance people, and all sorts of random passers-by that can read the note. Yes, those are less secure. But again, what are you guarding?
Having them inside a locked desk drawer improves the situation by quite a bit. Only someone who is specifically targeting you is likely to go after them. And if someone's targeting you personally, they'll probably do it the easy way with a keyboard sniffer or virus, rather than trying to break in to your office, bribe your janitor, or pick your desk drawer lock.
That said, in all cases you're still better off with an encrypted storage tool like a yubikey. Keep them with you, keep them encrypted. Much harder to leak that way.
Re: (Score:2)
The main purpose of changing your password is to get back into a secure state. So if your password does get stolen, it isn't a lifetime pass. I can't count the number of people who only discover that they had a stalker ex reading through their email and facebook for years. It's not just corporate data I care about.. a lot of people will sign into their services on random phones/computers to send a quick message or kill some time. Sooner or later, they'll sit down on a machine that'll send their creds to a s
Re: (Score:2)
What's considered a strong password has changed over time.
Since last year at this time? Please.
Re: (Score:2)
Why under the keyboard? If someone breaks into my house, the last thing I will worry about is them stealing my passwords. Really, complex password schemes for trivial website and blog registrations is just an exercise in vanity. Guess what? Nobody cares!
Re: (Score:2)
Assuming they know this, which they won't unless they get his plain text password for multiple sites and compare...
Re:Congratulations (Score:4, Funny)
Of course they know this, he just advertised it on the goddamned Slashdot frontpage!
Re:Congratulations (Score:5, Insightful)
I keep my passwords safe by not bragging about my selection strategies on slashdot.
Re: (Score:2)
Pick long words that are easy for you to remember.
Pick your state or town, full work phone, and favorite monopoly property(or first pet, author, or street).
Orlando5558242222NewYork
That phone number will feel a little awkward to type at first, but try using the number pad. Before you know it, your fingers will type it faster than you can say it. That number adds 10 extra characters that you can remember without thinking about.